Skip to Content
CSE4303Introduction to Computer Security (Lecture 10)

CSE4303 Introduction to Computer Security (Lecture 10)

MACs

MACs from Hash Functions

Construction:

Sbig(k,m)=S(k,H(m))S_{big}(k, m) = S(k, H(m))
Vbig(k,m,t)=V(k,H(m),t)V_{big}(k, m, t) = V(k, H(m), t)

If:

  • SS is secure MAC for short messages
  • HH is collision resistant

Then SbigS_{big} is secure MAC.

If collision exists: If H(m0)=H(m1)H(m_0) = H(m_1), query tag for m0m_0, forge (m1,t)(m_1, t).

HMAC

HMAC(k,m)=H((kopad)H((kipad)m))HMAC(k, m) = H((k \oplus opad) \| H((k \oplus ipad) \| m))

Used in:

  • TLS
  • IPsec
  • SSH

Properties:

  • Built from hash function (for example SHA-256)
  • Provably secure under PRF assumptions

Timing Attacks on MAC Verification

Problem: Byte-by-byte comparison leaks timing information.

Attack:

  1. Send random tag.
  2. Guess first byte.
  3. Detect timing increase.
  4. Repeat per byte.

Defense 1: Constant-time comparison loop.

Defense 2: Double-HMAC comparison: Compare HMAC(k,mac)HMAC(k, mac) with HMAC(k,sig)HMAC(k, sig).

Authenticated Encryption (AE)

AE provides:

  1. Confidentiality (CPA security)
  2. Ciphertext integrity

Cipher:

E:K×M×NCE : K \times M \times N \to C
D:K×C×NM{}D : K \times C \times N \to M \cup \{\bot\}

Ciphertext integrity: Attacker cannot produce new valid ciphertext.

Theorem: AE implies CCA security.

Implication: If D(k,c)D(k, c) \neq \bot,
receiver knows sender had key.

Encrypt-then-MAC

Correct construction:

  1. Compute c=E(kE,m)c = E(k_E, m)
  2. Compute tag=S(kI,c)tag = S(k_I, c)
  3. Send (c,tag)(c, tag)

Encrypt-then-MAC is always secure ordering.

AE Standards

  • GCM: CTR mode encryption then polynomial MAC
  • CCM: CBC-MAC then CTR mode encryption
  • EAX: CTR mode encryption then CMAC

All support AEAD: Authenticated Encryption with Associated Data.
Example: authenticate packet headers but do not encrypt them.

Asymmetric Crypto Authentication: Digital Signatures

Motivation

Goal: Bind document to author.

Digital problem: Anyone can copy a visible signature from one document to another.

Solution: Make signature depend on document contents.

Digital Signature Scheme

Components:

  • Secret signing key sksk
  • Public verification key pkpk
  • Sign(sk,m)signatureSign(sk, m) \to signature
  • Verify(pk,m,sig)Verify(pk, m, sig) \to accept or reject

Property: Anyone can verify.
Only signer can produce valid signature.

Signing a Certificate

Process:

  1. Compute hash of data.
  2. Sign hash with secret key.
  3. Attach signature to data.

Verification:

  1. Compute hash of received data.
  2. Verify signature using public key.
  3. Accept if hashes match.

Software Signing

Software vendor:

  • Signs update with secret key.
  • Publishes update and signature.

Clients:

  • Use vendor public key.
  • Verify signature.
  • Install only if valid.

Allows distribution via untrusted hosting site.

Review: Three Approaches to Data Integrity

  1. Collision resistant hashing
    Requires secure read-only public space.
    No secret keys.
    Suitable for public verification.

  2. MACs
    Requires shared secret key.
    Must compute new MAC per user.
    Suitable when one signs and one verifies.

  3. Digital signatures
    Requires long-term secret key.
    Public verification.
    Suitable when one signs and many verify.

Crypto Summary

Cryptographic goals:

  • Confidentiality
  • Data integrity
  • Authentication
  • Non-repudiation

Primitives:

  • Hash functions
  • MACs
  • Digital signatures
  • Symmetric ciphers
  • Public key ciphers
Last updated on
Introduction to Computer Security (Lecture 9)Introduction to Computer Security (Lecture 11)